From: Willy Tarreau <w@1wt.eu>
Date: Wed, 12 Apr 2017 20:32:04 +0000 (+0200)
Subject: BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on error
X-Git-Tag: v1.8-dev2~87
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0622f02b5aac4ae104f809a6beb836ccecef9a60;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on error

If make_arg_list() fails to process an argument after having queued an
unresolvable one, it frees the allocated argument list but doesn't remove
the referenced args from the arg list. This causes a use after free or a
double free if the same location was reused, during the deinit phase upon
exit after reporting the error.

Since it's not easy to properly unlinked all elements, we only release the
args block if none of them was queued in the list.
---

diff --git a/src/arg.c b/src/arg.c
index ca914faa9c..52977b7180 100644
--- a/src/arg.c
+++ b/src/arg.c
@@ -104,6 +104,7 @@ int make_arg_list(const char *in, int len, uint64_t mask, struct arg **argp,
 	char *word = NULL;
 	const char *ptr_err = NULL;
 	int min_arg;
+	struct arg_list *new_al = al;
 
 	*argp = NULL;
 
@@ -165,7 +166,7 @@ int make_arg_list(const char *in, int len, uint64_t mask, struct arg **argp,
 			 * parsing then resolved later.
 			 */
 			arg->unresolved = 1;
-			arg_list_add(al, arg, pos);
+			new_al = arg_list_add(al, arg, pos);
 
 			/* fall through */
 		case ARGT_STR:
@@ -282,7 +283,12 @@ int make_arg_list(const char *in, int len, uint64_t mask, struct arg **argp,
 
  err:
 	free(word);
-	free(*argp);
+	if (new_al == al) {
+		/* only free the arg area if we have not queued unresolved args
+		 * still pointing to it.
+		 */
+		free(*argp);
+	}
 	*argp = NULL;
 	if (err_arg)
 		*err_arg = pos;